The article WebView built in me.ash.reader.ui.component.webview.WebViewLayout.get() mutates two WebSettings flags inside the standardFontFamily when block:
```kotlin
ReadingFontsPreference.GoogleSans -> {
    allowFileAccess = true
    allowFileAccessFromFileURLs = true
    "sans-serif"
}
ReadingFontsPreference.External -> {
    allowFileAccess = true
    allowFileAccessFromFileURLs = true
    "sans-serif"
}
```
Two concerns with this:
- allowFileAccessFromFileURLs = true lets scripts running on a file:// page issue XHR requests against other file:// resources. The reader WebView is fed with article HTML via loadDataWithBaseURL / loadUrl and is not normally a file:// document, so the flag has no positive effect on font rendering, but it broadens the blast radius for any future code path or third-party HTML that does end up on a file URL. On minSdk <= 29 (this project ships minSdk = 26) it stays in effect on real devices.
- allowFileAccess = true is unnecessary for the GoogleSans branch. Google Sans is bundled in app assets and reached via file:///android_asset/, which is allowed even when setAllowFileAccess(false) is in force on every supported Android version. So the flag only matters for the External font preference, where the user explicitly picks a font file from device storage.
CWE-200 (Exposure of Sensitive Information) is the closest CWE mapping for the universal flag combination on a JavaScript-enabled WebView that also registers a JS bridge (JavaScriptInterface.NAME).
Suggested fix:
- Drop both allowFileAccess = true and allowFileAccessFromFileURLs = true from the GoogleSans branch.
- Drop allowFileAccessFromFileURLs = true from the External branch and keep allowFileAccess = true there, since that mode genuinely loads a user-chosen file.
A PR with that change is open at #1277 and does not affect the font behaviour for any of the existing reading-fonts options.
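A regression check for the suggested fix, as an added example that is not part of the original issue or the project's code: it scans Kotlin source for ReadingFontsPreference branches that enable either flag outside the one case the issue keeps (allowFileAccess in External). The two sample sources, the `when (font)` wrapper and the function names are constructed for illustration.

```python
import re

BRANCH = re.compile(r"ReadingFontsPreference\.(\w+)\s*->\s*\{")
FLAG = re.compile(r"\b(allowFileAccess(?:FromFileURLs)?)\s*=\s*true\b")
# Per the issue: only the External branch needs plain file access.
ALLOWED = {("External", "allowFileAccess")}

def branch_bodies(source):
    """Yield (branch name, body text) for each `Name -> { ... }` branch."""
    for m in BRANCH.finditer(source):
        depth, i = 1, m.end()
        while i < len(source) and depth:  # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        yield m.group(1), source[m.end():i - 1]

def findings(source):
    """Return sorted (branch, flag) pairs that enable a flag outside ALLOWED."""
    return sorted({(name, flag)
                   for name, body in branch_bodies(source)
                   for flag in FLAG.findall(body)
                   if (name, flag) not in ALLOWED})

# Constructed samples: the branch shape quoted in the issue, and the suggested fix.
BEFORE = """when (font) {
    ReadingFontsPreference.GoogleSans -> {
        allowFileAccess = true
        allowFileAccessFromFileURLs = true
        "sans-serif"
    }
    ReadingFontsPreference.External -> {
        allowFileAccess = true
        allowFileAccessFromFileURLs = true
        "sans-serif"
    }
}"""
AFTER = """when (font) {
    ReadingFontsPreference.GoogleSans -> { "sans-serif" }
    ReadingFontsPreference.External -> {
        allowFileAccess = true
        "sans-serif"
    }
}"""

if __name__ == "__main__":
    print(findings(BEFORE), findings(AFTER))
```

The scan is textual, so a flag assignment inside a comment is also reported; that errs toward a false positive rather than a miss.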